Compare commits
No commits in common. "alex" and "rawhide" have entirely different histories.
5 changed files with 69 additions and 251 deletions
|
@ -2,39 +2,69 @@
|
||||||
|
|
||||||
# Version suffix in URL when building release candidates
|
# Version suffix in URL when building release candidates
|
||||||
%global rcx %{nil}
|
%global rcx %{nil}
|
||||||
%global ghversion 1.66.0
|
|
||||||
|
|
||||||
%{?python_enable_dependency_generator}
|
%{?python_enable_dependency_generator}
|
||||||
|
|
||||||
%if "%{rcx}"
|
|
||||||
%global rcv ~%{rcx}
|
|
||||||
%else
|
|
||||||
%global rcv %{nil}
|
|
||||||
%endif
|
|
||||||
|
|
||||||
Name: matrix-%{srcname}
|
Name: matrix-%{srcname}
|
||||||
Version: %{ghversion}%{rcv}
|
Version: 1.26.0
|
||||||
Release: 1%{?dist}
|
Release: 1%{?dist}
|
||||||
Summary: A Matrix reference homeserver written in Python using Twisted
|
Summary: A Matrix reference homeserver written in Python using Twisted
|
||||||
License: ASL 2.0
|
License: ASL 2.0
|
||||||
URL: https://github.com/matrix-org/%{srcname}
|
URL: https://github.com/matrix-org/%{srcname}
|
||||||
Source0: %{url}/archive/v%{ghversion}%{rcx}/%{srcname}-%{ghversion}%{rcx}.tar.gz
|
Source0: %{url}/archive/v%{version}%{rcx}/%{srcname}-%{version}%{rcx}.tar.gz
|
||||||
Source1: synapse.sysconfig
|
Source1: synapse.sysconfig
|
||||||
Source2: synapse.service
|
Source2: synapse.service
|
||||||
Source4: synapse@.service
|
|
||||||
|
|
||||||
Source3: matrix-synapse.sysusers
|
|
||||||
BuildArch: noarch
|
BuildArch: noarch
|
||||||
|
|
||||||
Recommends: %{name}+postgres
|
|
||||||
Recommends: %{name}+systemd
|
|
||||||
|
|
||||||
BuildRequires: python3-devel
|
BuildRequires: python3-devel
|
||||||
|
BuildRequires: python3-setuptools
|
||||||
|
|
||||||
|
# Test dependencies
|
||||||
|
BuildRequires: python3-mock >= 2.0
|
||||||
|
BuildRequires: python3-parameterized >= 0.7.0
|
||||||
BuildRequires: /usr/bin/openssl
|
BuildRequires: /usr/bin/openssl
|
||||||
BuildRequires: systemd-rpm-macros
|
|
||||||
# Workaround missing python-saml2 dependencies in f35 and f36.
|
# Package dependencies
|
||||||
|
#BuildRequires: python3-txacme >= 0.9.2
|
||||||
|
BuildRequires: python3-attrs >= 19.1.0
|
||||||
|
BuildRequires: python3-authlib
|
||||||
|
BuildRequires: python3-bcrypt >= 3.1.0
|
||||||
|
BuildRequires: python3-bleach >= 1.4.3
|
||||||
|
BuildRequires: python3-canonicaljson >= 1.4.0
|
||||||
|
BuildRequires: python3-daemonize >= 2.3.1
|
||||||
|
BuildRequires: python3-frozendict >= 1.0
|
||||||
|
BuildRequires: python3-idna >= 2.5
|
||||||
|
BuildRequires: python3-jinja2 >= 2.9
|
||||||
|
BuildRequires: python3-jsonschema >= 2.5.1
|
||||||
|
BuildRequires: python3-jwt
|
||||||
|
BuildRequires: python3-lxml >= 3.5.0
|
||||||
|
BuildRequires: python3-matrix-synapse-ldap3 >= 0.1
|
||||||
|
BuildRequires: python3-msgpack >= 0.5.2
|
||||||
|
BuildRequires: python3-netaddr >= 0.7.18
|
||||||
|
BuildRequires: python3-phonenumbers >= 8.2.0
|
||||||
|
BuildRequires: python3-pillow >= 4.3.0
|
||||||
|
BuildRequires: python3-prometheus_client
|
||||||
|
BuildRequires: python3-pyOpenSSL >= 16.0.0
|
||||||
|
BuildRequires: python3-pyasn1 >= 0.1.9
|
||||||
|
BuildRequires: python3-pyasn1-modules >= 0.0.7
|
||||||
|
BuildRequires: python3-pymacaroons-pynacl >= 0.13.0
|
||||||
|
BuildRequires: python3-pynacl >= 1.2.1
|
||||||
|
BuildRequires: python3-pysaml2 >= 4.5.0
|
||||||
|
BuildRequires: python3-pyyaml >= 3.11
|
||||||
|
BuildRequires: python3-service-identity >= 18.1.0
|
||||||
|
BuildRequires: python3-signedjson >= 1.1.0
|
||||||
|
BuildRequires: python3-sortedcontainers >= 1.4.4
|
||||||
|
BuildRequires: python3-systemd >= 231
|
||||||
|
BuildRequires: python3-treq >= 15.1
|
||||||
|
BuildRequires: python3-twisted >= 18.9.0
|
||||||
|
BuildRequires: python3-typing-extensions >= 3.7.4
|
||||||
|
BuildRequires: python3-unpaddedbase64 >= 1.1.0
|
||||||
|
BuildRequires: systemd
|
||||||
BuildRequires: xmlsec1
|
BuildRequires: xmlsec1
|
||||||
BuildRequires: xmlsec1-openssl
|
|
||||||
|
Requires(pre): shadow-utils
|
||||||
|
Requires: systemd
|
||||||
|
%{?systemd_requires}
|
||||||
|
|
||||||
%description
|
%description
|
||||||
Matrix is an ambitious new ecosystem for open federated Instant Messaging and
|
Matrix is an ambitious new ecosystem for open federated Instant Messaging and
|
||||||
|
@ -44,207 +74,67 @@ to showcase the concept of Matrix and let folks see the spec in the context of
|
||||||
a coded base and let you run your own homeserver and generally help bootstrap
|
a coded base and let you run your own homeserver and generally help bootstrap
|
||||||
the ecosystem.
|
the ecosystem.
|
||||||
|
|
||||||
%pyproject_extras_subpkg -n %{name} matrix-synapse-ldap3 postgres saml2 oidc systemd url_preview jwt cache_memory
|
|
||||||
|
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1 -n %{srcname}-%{ghversion}%{rcx}
|
%autosetup -p1 -n %{srcname}-%{version}%{rcx}
|
||||||
|
|
||||||
#sed -i 's|"cryptography>=3.4.7",|"cryptography>=3.4",|' synapse/python_dependencies.py
|
|
||||||
#rm tests/storage/test_background_update.py
|
|
||||||
|
|
||||||
# We don't support the built-in client so remove all the bundled JS.
|
# We don't support the built-in client so remove all the bundled JS.
|
||||||
rm -rf synapse/static
|
rm -rf synapse/static
|
||||||
|
|
||||||
|
|
||||||
%generate_buildrequires
|
|
||||||
# Missing: sentry,opentracing,redis
|
|
||||||
%pyproject_buildrequires -x test,matrix-synapse-ldap3,postgres,saml2,oidc,systemd,url_preview,jwt,cache_memory
|
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
%build
|
%build
|
||||||
%pyproject_wheel
|
%py3_build
|
||||||
|
|
||||||
|
|
||||||
%install
|
%install
|
||||||
%pyproject_install
|
%py3_install
|
||||||
%py3_shebang_fix %{buildroot}%{python3_sitelib}/%{srcname}/_scripts
|
|
||||||
%pyproject_save_files %{srcname}
|
# Synapse includes some benchmarks in a separate Python package named "synmark"
|
||||||
|
# which is installed by default. Remove it to avoid shipping it in the Fedora
|
||||||
|
# package, since it is unlikely to be useful to end users.
|
||||||
|
rm -r %{buildroot}%{python3_sitelib}/synmark/
|
||||||
|
|
||||||
install -p -D -T -m 0644 contrib/systemd/log_config.yaml %{buildroot}%{_sysconfdir}/synapse/log_config.yaml
|
install -p -D -T -m 0644 contrib/systemd/log_config.yaml %{buildroot}%{_sysconfdir}/synapse/log_config.yaml
|
||||||
install -p -D -T -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/synapse
|
install -p -D -T -m 0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/sysconfig/synapse
|
||||||
install -p -D -T -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/synapse.service
|
install -p -D -T -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/synapse.service
|
||||||
install -p -D -T -m 0644 %{SOURCE2} %{buildroot}%{_unitdir}/synapse@.service
|
|
||||||
install -p -d -m 755 %{buildroot}/%{_sharedstatedir}/synapse
|
install -p -d -m 755 %{buildroot}/%{_sharedstatedir}/synapse
|
||||||
install -p -D -m 0644 %{SOURCE3} %{buildroot}%{_sysusersdir}/%{name}.conf
|
|
||||||
|
|
||||||
%check
|
%check
|
||||||
set -o pipefail
|
PYTHONPATH=. trial-3 tests
|
||||||
PYTHONPATH=%{buildroot}%{python3_sitearch}:%{buildroot}%{python3_sitelib}:$PWD trial-3 tests | tee trial.stdout
|
|
||||||
|
|
||||||
# Guard against new types of tests being skipped.
|
|
||||||
WHITELIST="Requires hiredis
|
|
||||||
Requires jaeger_client
|
|
||||||
Requires Postgres
|
|
||||||
\`BaseFederationServlet\` does not support cancellation yet."
|
|
||||||
REASONS=$(cat trial.stdout | sed -n '/^\[SKIPPED\]$/{n;p;}')
|
|
||||||
SKIPPED=$(comm -23 <(echo "$REASONS" | sort | uniq) <(echo "$WHITELIST" | sort | uniq))
|
|
||||||
if [ ! -z "$SKIPPED" ]; then
|
|
||||||
echo -e "Failing, because tests were skipped:\n$SKIPPED"
|
|
||||||
exit 1
|
|
||||||
fi
|
|
||||||
|
|
||||||
|
|
||||||
%pre
|
%pre
|
||||||
%sysusers_create_compat %{SOURCE3}
|
getent group synapse >/dev/null || groupadd -r synapse
|
||||||
|
getent passwd synapse >/dev/null || \
|
||||||
|
useradd -r -g synapse -d %{_sharedstatedir}/synapse -s /sbin/nologin \
|
||||||
|
-c "The user for the Synapse Matrix server" synapse
|
||||||
|
exit 0
|
||||||
|
|
||||||
%post
|
%post
|
||||||
%systemd_post synapse.service
|
%systemd_post synapse.service
|
||||||
%systemd_post synapse@*.service
|
|
||||||
|
|
||||||
|
|
||||||
%preun
|
%preun
|
||||||
%systemd_preun synapse.service
|
%systemd_preun synapse.service
|
||||||
%systemd_preun synapse@*.service
|
|
||||||
|
|
||||||
|
|
||||||
%postun
|
%postun
|
||||||
%systemd_postun_with_restart synapse.service
|
%systemd_postun_with_restart synapse.service
|
||||||
%systemd_postun_with_restart synapse@*.service
|
|
||||||
|
|
||||||
%files -f %{pyproject_files}
|
|
||||||
|
%files
|
||||||
%license LICENSE
|
%license LICENSE
|
||||||
%doc *.rst
|
%doc *.rst
|
||||||
%config(noreplace) %{_sysconfdir}/sysconfig/synapse
|
%config(noreplace) %{_sysconfdir}/sysconfig/synapse
|
||||||
|
%{python3_sitelib}/synapse/
|
||||||
|
%{python3_sitelib}/matrix_synapse*.egg-info/
|
||||||
%{_bindir}/*
|
%{_bindir}/*
|
||||||
%{_unitdir}/synapse.service
|
%{_unitdir}/synapse.service
|
||||||
%{_unitdir}/synapse@.service
|
|
||||||
%attr(755,synapse,synapse) %dir %{_sharedstatedir}/synapse
|
%attr(755,synapse,synapse) %dir %{_sharedstatedir}/synapse
|
||||||
%attr(755,synapse,synapse) %dir %{_sysconfdir}/synapse
|
%attr(755,synapse,synapse) %dir %{_sysconfdir}/synapse
|
||||||
%attr(644,synapse,synapse) %config(noreplace) %{_sysconfdir}/synapse/*
|
%attr(644,synapse,synapse) %config(noreplace) %{_sysconfdir}/synapse/*
|
||||||
%{_sysusersdir}/%{name}.conf
|
|
||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
* Tue Jul 26 2022 Kai A. Hiller <V02460@gmail.com> - 1.63.1-1
|
|
||||||
- Update to v1.63.1
|
|
||||||
|
|
||||||
* Thu Jul 21 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.62.0-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_37_Mass_Rebuild
|
|
||||||
|
|
||||||
* Thu Jul 14 2022 Kai A. Hiller <V02460@gmail.com> - 1.62.0-1
|
|
||||||
- Update to v1.62.0
|
|
||||||
|
|
||||||
* Wed Jun 29 2022 Kai A. Hiller <V02460@gmail.com> - 1.61.1-1
|
|
||||||
- Update to v1.61.1
|
|
||||||
- Fix CVE-2022-31052
|
|
||||||
|
|
||||||
* Tue Jun 14 2022 Kai A. Hiller <V02460@gmail.com> - 1.61.0-1
|
|
||||||
- Update to v1.61.0
|
|
||||||
|
|
||||||
* Thu Jun 09 2022 Kai A. Hiller <V02460@gmail.com> - 1.60.0-1
|
|
||||||
- Update to v1.60.0
|
|
||||||
|
|
||||||
* Thu May 19 2022 Kai A. Hiller <V02460@gmail.com> - 1.59.1-1
|
|
||||||
- Update to v1.59.1
|
|
||||||
|
|
||||||
* Wed May 18 2022 Kai A. Hiller <V02460@gmail.com> - 1.59.0-1
|
|
||||||
- Update to v1.59.0
|
|
||||||
|
|
||||||
* Wed May 04 2022 Kai A. Hiller <V02460@gmail.com> - 1.58.0-1
|
|
||||||
- Update to v1.58.0
|
|
||||||
|
|
||||||
* Thu Apr 21 2022 Dan Callaghan <djc@djc.id.au> - 1.57.0-1
|
|
||||||
- Update to v1.57.0
|
|
||||||
|
|
||||||
* Tue Apr 05 2022 Kai A. Hiller <V02460@gmail.com> - 1.56.0-1
|
|
||||||
- Update to v1.56.0
|
|
||||||
|
|
||||||
* Thu Mar 24 2022 Kai A. Hiller <V02460@gmail.com> - 1.55.0-1
|
|
||||||
- Update to v1.55.0
|
|
||||||
|
|
||||||
* Tue Mar 08 2022 Kai A. Hiller <V02460@gmail.com> - 1.54.0-1
|
|
||||||
- Update to v1.54.0
|
|
||||||
|
|
||||||
* Tue Feb 22 2022 Kai A. Hiller <V02460@gmail.com> - 1.53.0-1
|
|
||||||
- Update to v1.53.0
|
|
||||||
|
|
||||||
* Wed Feb 09 2022 Kai A. Hiller <V02460@gmail.com> - 1.52.0-2
|
|
||||||
- Backport: Fix losing incoming EDUs if debug logging enabled
|
|
||||||
|
|
||||||
* Tue Feb 08 2022 Kai A. Hiller <V02460@gmail.com> - 1.52.0-1
|
|
||||||
- Update to v1.52.0
|
|
||||||
- Create synapse user and group declaratively
|
|
||||||
|
|
||||||
* Thu Jan 27 2022 Kai A. Hiller <V02460@gmail.com> - 1.51.0-1
|
|
||||||
- Update to v1.51.0
|
|
||||||
|
|
||||||
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1.49.2-2
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild
|
|
||||||
|
|
||||||
* Tue Dec 21 2021 Kai A. Hiller <V02460@gmail.com> - 1.49.2-1
|
|
||||||
- Update to v1.49.2
|
|
||||||
|
|
||||||
* Tue Dec 14 2021 Kai A. Hiller <V02460@gmail.com> - 1.49.0-1
|
|
||||||
- Update to v1.49.0
|
|
||||||
|
|
||||||
* Tue Nov 30 2021 Kai A. Hiller <V02460@gmail.com> - 1.48.0-1
|
|
||||||
- Update to v1.48.0
|
|
||||||
|
|
||||||
* Wed Nov 24 2021 Kai A. Hiller <V02460@gmail.com> - 1.47.1-1
|
|
||||||
- Update to v1.47.1
|
|
||||||
- Fix CVE-2021-41281
|
|
||||||
|
|
||||||
* Fri Nov 19 2021 Kai A. Hiller <V02460@gmail.com> - 1.47.0-1
|
|
||||||
- Update to v1.47.0
|
|
||||||
|
|
||||||
* Thu Nov 04 2021 Kai A. Hiller <V02460@gmail.com> - 1.46.0-1
|
|
||||||
- Update to v1.46.0
|
|
||||||
|
|
||||||
* Thu Oct 21 2021 Kai A. Hiller <V02460@gmail.com> - 1.45.1-1
|
|
||||||
- Update to v1.45.1
|
|
||||||
|
|
||||||
* Mon Oct 18 2021 Kai A. Hiller <V02460@gmail.com> - 1.44.0-1
|
|
||||||
- Update to v1.44.0
|
|
||||||
|
|
||||||
* Thu Sep 09 2021 Kai A. Hiller <V02460@gmail.com> - 1.42.0-1
|
|
||||||
- Update to v1.42.0
|
|
||||||
|
|
||||||
* Tue Aug 31 2021 Kai A. Hiller <V02460@gmail.com> - 1.41.1-1
|
|
||||||
- Update to v1.41.1
|
|
||||||
- Fix CVE-2021-39163, CVE-2021-39164
|
|
||||||
|
|
||||||
* Tue Aug 24 2021 Kai A. Hiller <V02460@gmail.com> - 1.41.0-1
|
|
||||||
- Update to v1.41.0
|
|
||||||
|
|
||||||
* Tue Aug 10 2021 Kai A. Hiller <V02460@gmail.com> - 1.40.0-1
|
|
||||||
- Update to v1.40.0
|
|
||||||
|
|
||||||
* Thu Jul 29 2021 Kai A. Hiller <V02460@gmail.com> - 1.39.0-1
|
|
||||||
- Update to v1.39.0
|
|
||||||
|
|
||||||
* Fri Jul 23 2021 Kai A. Hiller <V02460@gmail.com> - 1.38.1-1
|
|
||||||
- Update to v1.38.1
|
|
||||||
|
|
||||||
* Thu Jul 22 2021 Fedora Release Engineering <releng@fedoraproject.org> - 1.38.0-3
|
|
||||||
- Rebuilt for https://fedoraproject.org/wiki/Fedora_35_Mass_Rebuild
|
|
||||||
|
|
||||||
* Sun Jul 18 2021 Dan Callaghan <djc@djc.id.au> - 1.38.0-2
|
|
||||||
- fix startup ordering of synapse.service (RHBZ#1910740)
|
|
||||||
- relax version requirement for python3-cryptography
|
|
||||||
|
|
||||||
* Wed Jul 14 2021 Kai A. Hiller <V02460@gmail.com> - 1.38.0-1
|
|
||||||
- Update to v1.38.0
|
|
||||||
|
|
||||||
* Fri Jun 04 2021 Python Maint <python-maint@redhat.com> - 1.26.0-3
|
|
||||||
- Rebuilt for Python 3.10
|
|
||||||
|
|
||||||
* Tue Mar 02 2021 Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> - 1.26.0-2
|
|
||||||
- Rebuilt for updated systemd-rpm-macros
|
|
||||||
See https://pagure.io/fesco/issue/2583.
|
|
||||||
|
|
||||||
* Thu Jan 28 2021 Kai A. Hiller <V02460@gmail.com> - 1.26.0-1
|
* Thu Jan 28 2021 Kai A. Hiller <V02460@gmail.com> - 1.26.0-1
|
||||||
- Update to v1.26.0
|
- Update to v1.26.0
|
||||||
|
|
||||||
|
|
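Review bot: The new side pins `Version: 1.26.0`, while the changelog entries removed in this same section record CVE fixes in later releases (CVE-2021-39163 and CVE-2021-39164 in 1.41.1, CVE-2021-41281 in 1.47.1, CVE-2022-31052 in 1.61.1), so a package built from this spec would ship without those fixes. The page says the two branches share no history, so this may be a stale branch rather than an intended downgrade; either way the version should be confirmed before anything is built from it, for example by keeping `%global ghversion 1.66.0` and `Version: %{ghversion}%{rcv}` from the old side. The new `%check` (`PYTHONPATH=. trial-3 tests`) also drops the skipped-test guard, so newly skipped tests would no longer fail the build.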
|
@ -1,2 +0,0 @@
|
||||||
#Type Name ID GECOS Home directory Shell
|
|
||||||
u synapse - "Runs the Synapse Matrix homeserver" /run/synapse /sbin/nologin
|
|
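--- a/sources
+++ b/sources
@@ -0,0 +1 @@
+SHA512 (synapse-1.26.0.tar.gz) = 82ca85aa4dc1e3220f89e7f6815786135fa9bd0b33a1055f63b309b1fa193eeb993f832db573586945191e7195e42926c5342776b249dbc8e83daf4c196f00a4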
|
@ -1,6 +1,5 @@
|
||||||
[Unit]
|
[Unit]
|
||||||
Description=Synapse Matrix homeserver
|
Description=Synapse Matrix homeserver
|
||||||
After=network-online.target postgresql.service
|
|
||||||
|
|
||||||
[Service]
|
[Service]
|
||||||
Type=notify
|
Type=notify
|
||||||
|
@ -8,7 +7,7 @@ NotifyAccess=main
|
||||||
User=synapse
|
User=synapse
|
||||||
Group=synapse
|
Group=synapse
|
||||||
WorkingDirectory=/var/lib/synapse
|
WorkingDirectory=/var/lib/synapse
|
||||||
ExecStart=/usr/bin/synapse_homeserver --config-path=/etc/synapse/homeserver.yaml
|
ExecStart=/usr/bin/python3 -m synapse.app.homeserver --config-path=/etc/synapse/homeserver.yaml
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
ExecReload=/bin/kill -HUP $MAINPID
|
||||||
# EnvironmentFile=-/etc/sysconfig/synapse # Can be used to e.g. set SYNAPSE_CACHE_FACTOR
|
# EnvironmentFile=-/etc/sysconfig/synapse # Can be used to e.g. set SYNAPSE_CACHE_FACTOR
|
||||||
SyslogIdentifier=synapse
|
SyslogIdentifier=synapse
|
||||||
|
|
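Review bot: `ExecStart=/usr/bin/python3 -m synapse.app.homeserver` puts the working directory first on the module search path, and `WorkingDirectory=/var/lib/synapse` appears to be the state directory that the spec assigns to the synapse account, so a Python file present there would be imported ahead of the installed modules at the next start. Isolated mode keeps the working directory off the path, `ExecStart=/usr/bin/python3 -I -m synapse.app.homeserver --config-path=/etc/synapse/homeserver.yaml`; note that `-I` also ignores `PYTHON*` environment variables. The first hunk also removes `After=network-online.target postgresql.service`, which the removed spec changelog ties to a startup-ordering fix (RHBZ#1910740), so it is worth keeping unless ordering is set elsewhere. Only two hunks of the unit are visible, so directives outside them cannot be checked from here.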
|
@ -1,70 +0,0 @@
|
||||||
[Unit]
|
|
||||||
Description=Synapse Worker %i
|
|
||||||
AssertPathExists=/etc/synapse/workers/%i.yaml
|
|
||||||
|
|
||||||
# This service should be restarted when the synapse target is restarted.
|
|
||||||
#PartOf=synapse.target
|
|
||||||
#ReloadPropagatedFrom=synapse.target
|
|
||||||
|
|
||||||
# if this is started at the same time as the main, let the main process start
|
|
||||||
# first, to initialise the database schema.
|
|
||||||
After=synapse.service
|
|
||||||
|
|
||||||
[Service]
|
|
||||||
Type=notify
|
|
||||||
NotifyAccess=main
|
|
||||||
User=synapse
|
|
||||||
WorkingDirectory=/var/lib/synapse
|
|
||||||
ExecStart=/usr/bin/synapse_worker --config-path=/etc/synapse/homeserver.yaml --config-path=/etc/synapse/workers/%i.yaml
|
|
||||||
ExecReload=/bin/kill -HUP $MAINPID
|
|
||||||
Restart=on-failure
|
|
||||||
RestartSec=3
|
|
||||||
SyslogIdentifier=synapse-%i
|
|
||||||
|
|
||||||
Environment="LD_PRELOAD=/usr/lib64/libjemalloc.so.2"
|
|
||||||
CPUAccounting=on
|
|
||||||
MemoryAccounting=on
|
|
||||||
|
|
||||||
MemoryHigh=500M
|
|
||||||
MemoryMax=1G
|
|
||||||
MemorySwapMax=1G
|
|
||||||
|
|
||||||
CPUWeight=75
|
|
||||||
|
|
||||||
PrivateTmp=yes
|
|
||||||
PrivateDevices=true
|
|
||||||
PrivateUsers=true
|
|
||||||
|
|
||||||
CapabilityBoundingSet=
|
|
||||||
AmbientCapabilities=
|
|
||||||
|
|
||||||
DevicePolicy=closed
|
|
||||||
|
|
||||||
ProtectSystem=strict
|
|
||||||
ProtectHome=yes
|
|
||||||
ProtectControlGroups=yes
|
|
||||||
ProtectKernelModules=yes
|
|
||||||
ProtectKernelTunables=yes
|
|
||||||
ProtectClock=true
|
|
||||||
ProtectKernelLogs=yes
|
|
||||||
ProtectHostname=true
|
|
||||||
|
|
||||||
ProtectProc=invisible
|
|
||||||
ProcSubset=pid
|
|
||||||
|
|
||||||
RestrictAddressFamilies=AF_INET AF_INET6 AF_UNIX
|
|
||||||
RestrictNamespaces=yes
|
|
||||||
RestrictRealtime=yes
|
|
||||||
RestrictSUIDSGID=yes
|
|
||||||
|
|
||||||
NoNewPrivileges=yes
|
|
||||||
LockPersonality=yes
|
|
||||||
|
|
||||||
SystemCallArchitectures=native
|
|
||||||
SystemCallFilter=@system-service
|
|
||||||
SystemCallFilter=~@privileged @resources @obsolete
|
|
||||||
|
|
||||||
RemoveIPC=true
|
|
||||||
|
|
||||||
[Install]
|
|
||||||
WantedBy=multi-user.target
|
|